Log from the meeting.

/Magnus
[22:23:22] <Zorry> 1,0 Toolchain
[22:23:37] <Zorry> gcc 4.6.3 and 4.7.0 is in the overlay
[22:24:03] <Zorry> 4.8 is on the testing repo
[22:24:28] <Zorry> h-s fail to compile on 4.7
[22:24:52] <Zorry> and still no unmask of 4.6.x
[22:24:53] <lejonet> Isn't it so that the fancy plugins haven't been updated too?
[22:24:58] <Zorry> yep
[22:25:47] <Zorry> else i don't have that much
[22:26:19] <Zorry> anyone else have something?
[22:26:49] <Zorry> next 
[22:26:55] <Zorry> 3.0 Selinux
[22:27:12] <SwifT> ok
[22:27:16] <blueness> i'm so sorry guys
[22:27:22] <blueness> i was tied up at the college
[22:27:34] <Zorry> blueness: you after selinux
[22:27:51] <Zorry> SwifT: go
[22:27:52] <blueness> Zorry, yes of course
[22:28:00] <SwifT> the 20120215 policies and 20120217 userspace have been moved to the main tree (~arch for now), we're targeting stabilization end of this month
[22:28:28] <SwifT> I'm currently trying to build selinux-enabled hardened stages to see if that can greatly simplify our installation process
[22:28:49] <SwifT> I think it can, and would be a good addition as currently the installation process takes a lot of time
[22:29:18] <Zorry> +1
[22:29:27] <lejonet> SwifT: that would be awesome
[22:29:28] <SwifT> I also filed quite a few enhancement suggestions (as bugreports) on bugzie, partially to support twitch153 in his quest to find a good bug to provide a patch for for his GSoC
[22:29:42] <SwifT> but I'm also going to take a stab at those in the near future
[22:30:16] <SwifT> beyond that, I'm going to be a bit more active on the docs regarding selinux again, as we have to make sure all selinux users know how to properly handle their own policies (and extend them)
[22:30:50] <SwifT> upstream has been quite silent in its acceptance of upstream patches, so we might want to only track the vital patches ourselves, and have the users do their specific patches.
[22:31:06] <SwifT> not sure on the last thing here, still trying to set my mind on it
[22:31:32] <SwifT> on one hand, it's easy for me/us to update our policy to be quite finished/polished
[22:31:48] <blueness> SwifT, are the patches gentoo specific, is that why upstream is ignoring?
[22:31:56] <SwifT> on the other hand, if upstream doesn't track them easily anymore, we might have hundreds of patches here which we need to refactor with each new major release
[22:32:05] <prometheanfire> blueness: not much traffic
[22:32:09] <prometheanfire> at all
[22:32:10] <SwifT> no, they're ignoring other people's patches as well
[22:32:21] <blueness> oh dear
[22:32:39] <SwifT> I'm guessing they're focusing more on their internal projects or on CIL
[22:32:49] <blueness> are those policies also pushed down to fedora and other distros?
[22:33:21] <SwifT> I still position refpolicy for that... the patches we sent to refpolicy are being integrated in fedora and others the moment they update their base refpolicy
[22:33:39] <blueness> if it gets bad enough contact the maintainers for other distros and see about co-operation on maintenance of patches
[22:33:41] <SwifT> if refpolicy falls out, it'll become a bit more difficult to combine and find synergies
[22:34:04] <blueness> right
[22:34:05] <SwifT> fedora is generally less "pushy" on its patches because it has a somewhat different set of principles
[22:34:18] <SwifT> in a security field, principles are important to keep a coherent set of policies
[22:34:34] <SwifT> for now, ours (gentoo) is that we track refpolicy as much as possible
[22:34:49] <SwifT> we might need to revisit that if it stays low on activity
[22:35:38] <SwifT> pebenito's been gone from irc lately as well
[22:35:49] <klondike2> SwifT, if upstream dies fork it and be the new upstream that's the free software way
[22:35:52] <SwifT> so it might just be that he's too busy or has some personal things to take care of
[22:36:30] <SwifT> maintaining the policies for gentoo isn't all that hard, but it's way easier if there are more eyes looking at the patches
[22:36:43] <SwifT> especially for selinux, because it's security policies
[22:36:52] <klondike2> SwifT, so fork it along with other distros using it :P
[22:37:11] <SwifT> I'll wait a bit first, push out some more patches and see what happens
[22:37:34] <SwifT> but if nothing changes by the next meeting we have, I might go on and suggest something )
[22:37:37] <SwifT> ;)
[22:37:41] <prometheanfire> :D
[22:37:42] <SwifT> that's all I have on selinux
[22:38:05] <Zorry> anyone else?
[22:38:13] <blueness> i agree with klondike2 that you are in a good position to become a new upstream if we get there
[22:38:15] <xvilka> hardened debian may be have similar policies way?
[22:38:44] <blueness> xvilka, all selinux distros have similar policy needs
[22:39:13] <SwifT> yes, and still they're all somewhat different ;)
[22:39:29] <SwifT> gentoo still has a high focus on full confinement
[22:39:37] <SwifT> other distributions focus primarily on targeted
[22:39:45] <blueness> yah
[22:39:52] <SwifT> we still support UBAC, others don't
[22:40:09] <SwifT> why? because it's hard to support it if you're not focusing on full confinement ;)
[22:40:43] <blueness> SwifT, the full confinement is definitely a plus
[22:40:49] <SwifT> pebenito already took some approaches to ensure better community support in refpolicy by introducing a "contrib/" repo, but I don't know who has commit access there
[22:41:02] <blueness> even back in my redhat days i only could do targeted
[22:41:12] <blueness> only with gentoo have i succeeded at strict
[22:41:27] <prometheanfire> it's because we are cool
[22:41:32] <SwifT> rhel supports targeted-minus-unconfined (which we call "strict") but there aren't that many out there
[22:41:41] <blueness> prometheanfire, its because swift works his butt off!
[22:41:48] <prometheanfire> yes :D
[22:41:59] <SwifT> I hate targeted :p
[22:42:02] <SwifT> it's too... lazy
[22:42:13] <klondike2> I hate :P
[22:42:27] -*- xvilka going to setup selinux+postgresql selinux properties.
[22:43:17] <blueness> SwifT, keep up posted about upstream and if we need to become upstream and you need help, i think we can do that
[22:43:59] <SwifT> if it needs to be, I'll first ask around in #selinux, there are many guys like dominick grift and such almost 24/7 available there with much more expertise on selinux than I
[22:44:41] <SwifT> i'll also mail pebenito and ask him what might be causing delays and if we can support him in any way on it
[22:44:59] <klondike2> SwifT, but if nobody gives the first step patches will start accumulating
[22:45:44] <klondike2> !seen pebenito
[22:45:44] <willikins> klondike2: PeBenito was last seen 2 days, 1 hour, 37 minutes and 33 seconds ago, quitting IRC (Quit: avc:  granted  { sigkill } for  pid=6645 exe=/usr/bin/xchat)
[22:46:04] <klondike2> U_U
[22:46:35] <blueness> next?
[22:46:43] <SwifT> yup, next
[22:47:22] <blueness> Zorry, ?
[22:47:47] <Zorry> 2.0 Kernel
[22:47:56] <blueness> k
[22:48:11] <blueness> first let me apologize again for being late, i was working with students
[22:48:36] <blueness> the first thing about the hardened kernel is that now 3 branches are being supported by grsec/pax team
[22:48:51] <blueness> they're still supporting 2.6.32 even though upstream has stopped at .59
[22:49:24] <blueness> so brad is also backporting fixes to that kernel.  people shouldn't worry that the kernel folk have dropped 2.6.32
[22:49:45] <blueness> any bugs/security issues on it are being taken care of in the grsec patches.
[22:49:56] <blueness> some servers out there still have to use 2.6.32 so that's good news
[22:50:21] <blueness> the others are 3.2.x which is considered also stable by grsec team
[22:50:28] <blueness> and 3.3.x which is testing
[22:51:12] <blueness> i'm about to stabilize 2.6.32-r95 and 3.2.11 which work on all the boxes that people wanted me to test on including Chainsaw's HP he sent from england
[22:51:19] <blueness> probably tomorrow
[22:51:48] <blueness> and that's about it for kernel. i'm still waiting for the end of semester to finish writing a userland utility to do xattr pax
[22:52:00] <blueness> then that work will be "complete" except for bug fixes
[22:52:03] <prometheanfire> https://docs.google.com/a/mthode.org/spreadsheet/ccc?key=0AjK9oTC6oiO7dHB6NjJiVDVWVnpzazhfR0ZfR2hDM3c&pli=1#gid=0
[22:52:25] <prometheanfire> that's the status of kernel testing, going to test amd kvm this month, but I expect the same results as intel
[22:52:27] <SwifT> if that's NSFW I'll kill you
[22:52:28] <blueness> that's enough for me prometheanfire talk about the virt stuff
[22:53:03] <blueness> looks like uderef is the problem
[22:53:22] <prometheanfire> this is for host kernel options and cpu types and how they affect guest perf
[22:53:40] <prometheanfire> ya, if you have a new cpu, kernexec works fine, uderef sucks no matter what
[22:53:56] <blueness> so ideal situation is nested pages
[22:54:49] <blueness> prometheanfire, did you point any of this out to brad, he was pushing for both uderef and kernexec but i just don't see it working
[22:55:04] <prometheanfire> I've told him, but I'll tell him again
[22:55:36] <prometheanfire> we never invited spender or pipacs to the meeting, just noticed
[22:55:47] <blueness> because he didn't want to accept my VIRTUALIZATION settings saying he wanted both uderef and kernexec
[22:56:09] <blueness> but i explained i had to go with the lowest denominator
[22:56:17] <xvilka> yes, both are good :)
[22:56:21] <Zorry> prometheanfire: i did post time on hardened ml
[22:56:29] <prometheanfire> I think he'll have to split the virt down to kernexec toggling
[22:56:31] <blueness> the settings that would work on the worst case scenario cpu
[22:56:34] <prometheanfire> Zorry: good point
[22:56:51] <prometheanfire> he wants to be VERY fine grained
[22:57:06] <prometheanfire> but that's it for me
[22:57:57] <Zorry> blueness: any time line for h-s and gcc-4.7.x ?
[22:58:16] <blueness> Zorry,  i haven't tested at all
[22:58:31] <Zorry> blueness: the gcc-plugins fail
[22:58:33] <blueness> 4.7 just hit the overlay, i can try after the meeting
[22:58:37] <blueness> i figured
[22:58:52] <blueness> do you know what the breakage is?
[22:59:42] <Zorry> gcc-4.7 has changed some of the plugin api
[23:01:08] <Zorry> that is all from me 
[23:01:11] <Zorry> next?
[23:01:17] <blueness> Zorry, i'll try after the meeting and see if i can figure out what the api change is
[23:01:21] <blueness> it might be an easy fix
[23:01:31] <Zorry> k
[23:01:51] <Zorry> 4.0 Grsec/PaX then
[23:01:58] <blueness> me again!
[23:02:28] <blueness> no new developments, as i said above, i have yet to write the userland utility for xattr pax
[23:02:49] <blueness> you don't strictly speaking need one since you can use setfattr or getfattr
[23:02:52] <blueness> but
[23:02:58] <klondike2> only new bugs... :P
[23:03:17] <blueness> it's nice to have a utility that will migrate say pt_pax to xt_pax
[23:03:37] <blueness> klondike2, always! you just have to kill them one at a time
[23:03:55] <klondike2> Yeah, yeah I know
[23:04:15] <blueness> actually paxctl-ng did do that but the format was for my implementation of xt_pax not the one adopted by pipacs
[23:04:38] <blueness> klondike2, it might even be possible to just do this with a script
[23:05:05] <blueness> anyhow, that's it for grsec/pax
[23:05:20] <klondike2> blueness,  when does semester end?
[23:05:25] <blueness> 3 weeks
[23:05:50] <blueness> Zorry, can i mention stuff about uclibc?
[23:06:01] <Zorry> blueness: go
[23:06:41] <blueness> i've been tracking uclibc upstream closely and there have been some important fixes, mostly having to do with static linking
[23:06:56] <blueness> an ancient bug of mine was closed -> https://bugs.busybox.net/show_bug.cgi?id=1543
[23:07:21] <blueness> so uclibc-0.9.33.1 is working well in amd64
[23:07:40] <blueness> with i686 i have to return to a bug that made gcc-4.6.3 fail to compile
[23:08:17] <blueness> mips i hit a similar bug as with i686 fails to compile 4.6.3
[23:08:30] <blueness> and ppc had other issues which I didn't have time to return to
[23:08:55] <blueness> but during the summer the plan is to have hardened uclibc i686, amd64, ppc, mips and arm
[23:09:34] <blueness> i have to bring the stuff back into the main tree too, but i think i see a way to do that and keep everyone happy, vapier didn't like my minimalist approach to the uclibc ebuild
[23:10:01] <blueness> so that's where i'm heading with that ... side story ... my home router (a gentoo box) died yesterday
[23:10:17] <blueness> the new one is running amd64 uclibc
[23:10:27] <blueness> works great, very snappy
[23:10:32] <SwifT> oh yes, the free-drinks announcement
[23:10:33] <SwifT> ;)
[23:10:34] <blueness> <end>
[23:10:49] <blueness> yeah, that's right i was supposed to buy you all drinks to celebrate
[23:10:49] <Zorry> next then?
[23:10:54] <blueness> yes next
[23:10:59] <blueness> unless there are questions
[23:11:11] <Zorry> 5.0 Profiles
[23:12:09] <Zorry> i don't have anything on it
[23:12:15] <Zorry> SwifT:  or blueness ?
[23:12:39] <blueness> Zorry, nope, profiles are perfect ... ehhe
[23:12:49] <SwifT> there was a report on updating selinux to force python[xml] but I'm not able to reproduce as the profile we have should already do so
[23:13:17] <SwifT> libselinux or libsemanage uses the python eclass and asks it to use XML, so...
[23:13:34] <SwifT> I marked the bug as needinfo iirc for now
[23:13:42] <SwifT> didn't hear anything about it since
[23:14:14] <Zorry> k
[23:14:31] <Zorry> next
[23:14:48] <Zorry> 6.0 Docs
[23:15:02] <Zorry> SwifT:  klondike
[23:15:17] <SwifT> nothing from my part (all docs changes made are on non-hardened stuff lately)
[23:16:00] <SwifT> i'm using hardened / selinux in a new online doc I'm writing though (http://swift.siphos.be/aglara) but that's beyond the gentoo docs ;)
[23:17:02] <Zorry> okay
[23:17:10] <Zorry> next then?
[23:17:24] <klondike2> hum
[23:17:34] <klondike2> Progress on the revdep-pax doc
[23:17:50] <klondike2> but need some enhancements for it to make sense
[23:18:15] <klondike2> Other than that little more, don't have that much time lately :(
[23:18:51] <blueness> klondike2, yeah i will get to that too, ie the enhancements
[23:20:30] <Zorry> next then?
[23:20:38] <klondike2> yup
[23:20:45] <Zorry> 7.0 Bugs
[23:22:15] <blueness> well, i didn't want to bring it up, but the python rwx mapping was/wasn't fixed
[23:22:29] <Zorry> was thinking of that bug
[23:22:45] <Zorry> we need to bug libffi
[23:22:46] <blueness> i'm so confused as to the status of that whole thing
[23:23:28] <blueness> the last comment was that pax changed again and made the last fix not work anymore
[23:23:51] <Zorry> i think 2.7.3 has the patch but libffi still misses the needed stuff
[23:23:55] <blueness> https://bugs.gentoo.org/show_bug.cgi?id=329499#c100
[23:24:04] <blueness> Zorry, okay
[23:26:02] <blueness> no more?  open floor?
[23:26:12] <Zorry> in short libffi still needs the fix
[23:27:42] <Zorry> so we need to open a bug for libffi and make a patch that is okay
[23:27:57] <Zorry> anyone else?
[23:28:26] <klondike2> hum
[23:28:29] <klondike2> media
[23:28:39] <Zorry> okay next
[23:28:42] <klondike2> we had some questions on twitter 2 days ago
[23:28:46] <Zorry> 8.0 Media
[23:28:59] <klondike2> but identi.ca is mostly dead so may close it
[23:29:47] <Zorry> k
[23:29:52] <klondike2> I'd like comments on that though
[23:30:06] <klondike2> Anybody against closing the identi.ca account?
[23:30:14] <Zorry> fine by me
[23:31:43] <blueness> klondike2, nah squat on the name
[23:31:56] <blueness> does it hurt leaving it open?
[23:32:01] <klondike2> nope
[23:32:14] <klondike2> but I may not answer :P
[23:32:17] <blueness> well i don't really have strong feelings, you decide
[23:32:36] <klondike2> okey we keep it but we say we are not using it anymore
[23:32:43] <blueness> sure
[23:32:50] <blueness> suggest other means of contacting us
[23:33:01] <klondike2> okey
[23:34:47] <klondike2> that's it from me
[23:34:59] <klondike2> so next?
[23:35:00] <Zorry> okay 
[23:35:08] <Zorry> 9.0 Open floor
[23:36:19] <Zorry> i will be busy with my tinderbox project
[23:36:23] <blueness> nothing really we covered it all
[23:37:26] <blueness> (the weather is so nice here ... moving to the front porch brb)
[23:37:52] <Zorry> we did have snow here :(
[23:38:16] <klondike2> xD
[23:38:22] <klondike2> umeå sucks :P
[23:38:33] <klondike2> it is okey in göteborg
[23:39:33] <klondike2> that's what the teachers say :P
[23:40:04] <Zorry> okay next meeting will be in 4 weeks i hope
[23:40:07] <Zorry> next*
[23:40:42] <Zorry> ty all for the meeting
[23:40:54] <prometheanfire> :D
[23:41:23] <klondike2> see you then